Keys & Key Management Chapters 7, 8


Upload: jaimie

Post on 05-Jan-2016


Page 1: Keys & Key Management Chapters 7, 8

Keys & Key Management, Chapters 7, 8

Keys

– Symmetric Length

– Public Key Length

Key Management

– Generating, Using, Storing Keys

– Backup Keys

– Destroying Keys


Symmetric Key Length

Keys

– Symmetric Length

– Depends on algorithm

» DES 56 bits or 112 bits

» AES 128, 192, or 256

– Key space = # of possible keys

– DES key space = $2^{56}$

– AES key space = $2^{256}$


Public Key Length

Keys

– Depend on the product of two very large primes

» Easy to multiply

» Hard to factor

– Cracking Public key crypto depends on factoring very large numbers


Current Recommendations

• For confidentiality beyond 2030 use 3072 bit keys for both RSA and D-H.

• A 3072 bit RSA key is equivalent to a 128 bit AES key

• For more secure asymmetric encryption you have to use Elliptic Curve Cryptography

ECC Keys should be twice the length of the AES key length


Factoring Methods

General number sieve

– 2048 bit numbers = $3 \times 10^{20}$ mip-years

Special number field sieve

– 2048 bit numbers = $4 \times 10^{14}$ mip-years


Generating Keys

Bad/weak keys

– Some keys are very weak, some are poor choices

– Some are prone to dictionary attacks

Random symmetric keys

– Must test for known weak keys for an algorithm


Generating Keys

Key generation

– Hash of passwords

– Hash of pass phrases

Information theory

– English 1.3 bits of info per 8 bit character

– 10 words = 49 characters = 64 bit key


Distributing Keys

Large networks have large problems

• 6 person networks require 15 key exchanges

• 1000 person networks require 500,000 key exchanges

• A very good random number generator is required


Using Keys

Key storage

Sits on disk subject to forensic exam, nosey co-worker, etc.

Who uses the key


Storing Keys

Magnetic card stripes

Smart cards

RFIDs

Some key host

Key escrow server


Backup Keys

What if

• The key owner forgets

• The key owner quits

• The key owner dies

• The computer is stolen/destroyed


Destroying Keys

Keys have a limited lifetime

Validation that the key is destroyed

Key storage medium must be completely destroyed


Key Management

• PKI – Public Key Infrastructure

• X.509 is the generally accepted standard for PKI held by ITU

• IETF X.509 working group pkix

• MIL uses it.


Certificate:
    Data:
        Version: 1 (0x0)
        Serial Number: 7829 (0x1e95)
        Signature Algorithm: md5WithRSAEncryption
        Issuer: C=ZA, ST=Western Cape, L=Cape Town, O=Thawte Consulting cc, OU=Certification Services Division, CN=Thawte Server CA/[email protected]
        Validity
            Not Before: Jul 9 16:04:02 1998 GMT
            Not After : Jul 9 16:04:02 1999 GMT
        Subject: C=US, ST=Maryland, L=Pasadena, O=Brent Baccala, OU=FreeSoft, CN=www.freesoft.org/[email protected]
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
            RSA Public Key: (1024 bit)
                Exponent: 65537 (0x10001)
    Signature Algorithm: md5WithRSAEncryption
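An added example, not part of the original slides: a check of the certificate above against the 3072-bit RSA figure from the "Current Recommendations" slide. The function name `audit_cert_text`, the weak-hash list and the `SAMPLE` text (constructed from the certificate's text fields) are assumptions of this example.

```python
import re
from datetime import datetime, timezone

MIN_RSA_BITS = 3072                     # from the "Current Recommendations" slide
WEAK_HASHES = ("md2", "md5", "sha1")    # assumption: hashes treated as broken here

# Constructed sample: text fields of the slide's certificate, hex bodies omitted.
SAMPLE = """\
Certificate:
    Data:
        Version: 1 (0x0)
        Serial Number: 7829 (0x1e95)
        Signature Algorithm: md5WithRSAEncryption
        Validity
            Not Before: Jul  9 16:04:02 1998 GMT
            Not After : Jul  9 16:04:02 1999 GMT
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
            RSA Public Key: (1024 bit)
"""

def audit_cert_text(text, now=None):
    """Return findings for one certificate in `openssl x509 -text` layout."""
    now = now or datetime.now(timezone.utc)
    findings = []

    sig = re.search(r"Signature Algorithm:\s*(\S+)", text)
    if sig is None:
        findings.append("signature algorithm not found")
    elif any(h in sig.group(1).lower() for h in WEAK_HASHES):
        findings.append(f"weak signature hash: {sig.group(1)}")

    # Old OpenSSL prints "RSA Public Key: (N bit)", newer "Public-Key: (N bit)".
    bits = re.search(r"Public[- ]Key:\s*\((\d+) bit\)", text)
    if bits is None:
        findings.append("key size not found")
    elif "rsaEncryption" in text and int(bits.group(1)) < MIN_RSA_BITS:
        findings.append(f"RSA key is {bits.group(1)} bits, below {MIN_RSA_BITS}")

    end = re.search(r"Not After\s*:\s*(.+?)\s+GMT", text)
    if end is None:
        findings.append("expiry date not found")
    else:
        stamp = " ".join(end.group(1).split())  # collapse the padded day field
        expires = datetime.strptime(stamp, "%b %d %H:%M:%S %Y")
        if expires.replace(tzinfo=timezone.utc) < now:
            findings.append(f"expired on {expires.date()}")
    return findings

if __name__ == "__main__":
    for finding in audit_cert_text(SAMPLE):
        print("FINDING:", finding)
```

The same function can be fed the output of `openssl x509 -in cert.pem -noout -text` for a certificate under review.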

To